Grails Database Session Plugin June 6, 2012 | 02:07 pm

I’ve done a fair bit of updating to the Grails Database Session Plugin (originally written by Burt Beckwith), and it is now released. The plugin solves the problem of cloud services often not having sticky sessions/session affinity, so as soon as you ramp up a second Grails application, you’re losing sessions now and again.

If you want more information on this plugin, check out this month’s GroovyMag (June 2012), where I’ve got an article going over the whole thing, including the differences in implementations, a peek under the hood, and extensive details on how to use the plugin. A summary version of it is available in the README file.

BTW, if you’d like a free copy of this month’s GroovyMag, tweet me and let me know: I have a few coupons to share around.

Programmers need to know math! June 2, 2012 | 08:12 pm

OK, I’m wigging out again. The debate has come up *again* as to whether or not programmers need to know math. The answer, in my mind, is an unarguable “yes”. If you don’t, then many things will be extremely hard, and some things impossible, which people who do know the math will find quite easy. But rather than take the high road, and make vague and unconvincing general arguments, I thought I’d dive down into the details and list the higher level mathematics I’ve found useful in my programming career. Note that the high school level mathematics- algebra, geometry, trigonometry, I’m going to ignore. This is the higher level stuff- stuff mathematicians think is mathematics. This is a personal list, and off the top of my head, so it is no doubt incomplete.

Let’s start with graph theory. If there is one branch of mathematics a programmer can’t live without, this would be it. It’s about things (nodes) that have relationships (edges) with other things. Like cities connected by roads. Or- in the more programmatically useful, objects with pointers to each other. Pretty much all data structures are graphs. Run the standard graph theory algorithms to find out which objects can be reached from some set of root objects, and you have a garbage collector. Or how about this: functions that call other functions- the functions are the nodes, edges represent that one function calls another. Reachability algorithms tell you what functions can be dispensed with. Do a clique finding algorithm, and this determines which sets of functions form recursive loops. And so on. ‘Cmon, people- damned near everything we do as programmers is dealing with things that have relationships to other things.

Next up is linear algebra. Want to do 3D programming? Welcome to linear algebra. Lots and lots of linear algebra. Learning quaternions and geometric algebra is probably a good idea too- but linear algebra is a requirement. But linear algebra is useful for way more than that. Lots of other forms of mathematics (for example, graph theory) tend to reduce to linear algebra. Machine learning also uses linear algebra heavily- if you want to write an algorithmic trading platform or a search engine, better brush up on your linear algebra. Add in a dash of calculus, and you’re solving systems of non-linear equations (via Newton-Kantorovich).

Numerical analysis is how to implement linear algebra in the real world (i.e. on computers). Also, it covers the care and feeding of floating point numbers. If I were king, programmers would be required to pass a class on numerical analysis before being allowed to use floats.

Abstract algebra and number theory are useful for cryptography, random number generation, hashing, error detection, and a couple of other things. For example, 2’s complement arithmetic makes perfect sense once you realize that it’s just arithmetic modulo 2^n.

Statistics. How could I forget statistics? There is more to statistics than Bayes theorem (and Bayesian reasoning), but for that alone it is indispensable.

I’m not sure what branch of mathematics the Fourier transform falls under, but it’s another one that shows up all over. Including weird places, like multiplying large numbers.

There are a lot of “little branches” of mathematics, which aren’t full disciplines themselves, but are still worth learning. Knowing the relational calculus makes SQL make a lot more sense, knowing the Pi Calculus makes Erlang make a lot more sense, knowing the Lambda Calculus makes Lisp and Haskell make a lot more sense, and so on. Being able to at least read and follow the mathematicians gives insights into the fundamentals of what is going on.

For the record, I don’t know category theory, and don’t feel any deep seated need to learn it either. I haven’t got my head around geometric algebra yet, and I want to take a swing at algebraic topology at some point (to take a deep approach to relativity and quantum mechanics). Speaking from experience, it’s certainly not necessary to learn Haskell or figure out monads.

But, at the end of the day, there’s this. Programming is about solving problems- that’s why anyone cares about it. What’s important isn’t the code produced, it’s the problems solved. And mathematics is about how to solve problems. How do these two things not go together like peas in a pod? Richard Feynman once compared knowing different mathematics to having extra tools in your tool chest. Not all mathematics is applicable to all problems, granted- but learning mathematics is like learning new APIs, or new languages. It allows us to solve problems we otherwise couldn’t.

Open Source Drop: GitHub as a Maven Repo for Gradle, a JSON parser library and client, and JavaCC Plugin for Gradle April 23, 2012 | 03:19 pm

This is an announcement of a bunch of open source code that I’ve just released.

Using GitHub as a Maven Repository for Gradle

If you’re using Gradle for your JVM builds (and you should be) and GitHub for your open source project infrastructure (and you should be), then you might be pleasantly surprised to know that you can use GitHub as a Maven repository, which means that your library can be deployed to and served from GitHub’s own cloud infrastructure.

Your clients add this line to their Gradle build scripts:

apply from:""

And at that point, they can draw from anything deployed on GitHub. Good times!

For more information (including the five lines of code necessary for you to deploy to GitHub), see the README for the RobertFischer/gradle-github-dev project.

JSON Parser Library

A long while back, I was pissed off at the available JSON parsing libraries, so I wrote my own JavaCC-driven JSON parser library. It supports a fair bit of the broken JSON that is out in the wild, and is screaming fast. For more information, see the README for the RobertFischer/json-parser project.

JSON Client for the JVM: Resty

I’ve been playing around with a bunch of different JSON clients for interacting with a REST service (GitHub’s API v3) on the JVM, and I didn’t really like any of them. All of them felt WAAAAAAAAAAAY too Java-y, and I was looking for something much simpler. RESTClient for Groovy was nice, but I had trouble debugging the errors going to and from the server. After much searching, the best I found was beders’s Resty library, but it had a problem in that it couldn’t parse JSON arrays at the top level. So I forked it.

You can check out my version of Resty, which uses my more fault-tolerant and faster JavaCC JSON parser (see above) and can parse top-level arrays. There’s also substantially improved error handling, and it’s now built using Gradle instead of Maven because XML’s pointy brackets make my eyes bleed.

JavaCC/JJTree Compiler Plugin for Gradle

Finally, I’ve updated my JavaCC/JJTree compiler plugin for Gradle. This also involved updating the compiler-base plugin. Both were overdue for an update to support Gradle 1.0, and updating them was really a joy, since it meant ripping out a lot of bad code and replacing it with newfangled Gradle API calls.

What programming language should I use? February 22, 2012 | 08:56 pm

My answer to the question: what programming language should I use? Also answers the question: when should I use programming language X?

Silly flow chart.

The above is, obviously, IMHO. And if your favorite programming language isn’t represented here, feel free to assume I’m just fundamentally an evil person.

Gradle, Lift, and Google App Engine January 21, 2012 | 08:34 pm

I’m getting back into the game a little bit, and I decided to take a look at Lift for web development. After an initially promising experience, I became totally unhappy with Eclipse (it began forgetting I had Google App Engine libraries on the classpath after every clean). So I moved back to the command line. The recommendation to use Simple Build Tool or Maven for Lift put me off: SBT is pretty weak for a build tool, and Maven is…well…Maven, off to download the Internet. So I went back to Gradle.

For the record, I’m using Objectify for my Google App Engine development, because JPA gets you into that whole ugly ORM conceptual space without need: there’s no “R” in GAE, so you might as well deal with it in a more natural way.

So, given that situation, I came up with this build.gradle script. (Forgive the ugly organization, but this is actually the relevant points extracted from a multi-project build.)

buildscript {
  repositories {
    // Ivy URL resolver for plugins served from GitHub
    add(new org.apache.ivy.plugins.resolver.URLResolver()) {
      name = 'GitHub'
      addArtifactPattern '[organisation]/[module]/[module]-[revision].[ext]'
    }
  }
  dependencies {
    classpath "bmuschko:gradle-gae-plugin:$gaePluginVersion"
  }
}

apply plugin:'java'

// Buildscript dependencies and repositories
repositories {
  mavenRepo name:'scala-releases', url:''
  mavenRepo name:'objectify-appengine-releases', url:''
  mavenRepo name:'sonatype-releases', url:''
  mavenRepo name:'sonatype-snapshots', url:''
  add(new org.apache.ivy.plugins.resolver.URLResolver()) {
    name = 'GitHub'
    addArtifactPattern '[organisation]/[module]/[module]-[revision].[ext]'
  }
}

// Universal dependencies
dependencies {
  compile "org.encog:encog-core:$encogVersion"
  testCompile "junit:junit:4.5"
}

// Now the Scala stuff
apply plugin: 'scala'
dependencies {
  scalaTools "org.scala-lang:scala-compiler:$scalaVersion"
  compile "org.scala-lang:scala-library:$scalaVersion"
  testCompile "org.scala-tools.testing:specs:1.6.1"
}

// Lift is packaged as a WAR
apply plugin:'war'
dependencies {
  compile "net.liftweb:lift-webkit_$scalaVersion:$liftVersion"
  testCompile 'org.mortbay.jetty:jetty-util:6.1.22'
  providedCompile 'javax.servlet:servlet-api:2.5'
}

// Google App Engine plugin and SDK
apply plugin: 'gae'
dependencies {
  compile "com.googlecode.objectify:objectify:$objectifyVersion"
  gaeSdk "$gaeVersion"
}

gae {
  downloadSdk = true
  disableUpdateCheck = true // Error with HTTPS
  appcfg {
    email = '[email protected]'
    logs {
      append = true
      severity = 1
      outputFile = file('build/logs.txt')
    }
  }
}

I stash versions in the file, which looks like this (it’s a lot more detail than you actually need):

scalaVersion = 2.9.1
liftVersion = 2.4-RC1
gaePluginVersion = 0.5.2
objectifyVersion = 4.0a2
guavaVersion = 11.0.1
commonsLang3Version = 3.1
commonsLangVersion = 2.6
commonsIoVersion = 2.1
commonsCollectionsVersion = 3.2.1
encogVersion = 3.1.0-SNAPSHOT
androidPluginVersion = 1.1.0
slf4jVersion = 1.6.4
gaeVersion = 1.6.1

If you start Lift up at this point (using gradle gaeRun), there are errors about Lift not having permission to mess with the thread pool.

Now, here’s the amazing magic trick which I found documented nowhere but discovered while digging through the Lift source code. It’s an astounding and miraculous trick which is necessary in order to get Lift to work on Google App Engine.

In the file ./src/main/resources/props/default.props, make sure to have this set:


That’s it. You do that, Google App Engine works. You don’t do that, it won’t. Magic!

Back Again to There: A Nontheistic Statement of Faithiness January 20, 2012 | 10:47 am

[Editor’s Note: This is a follow-up to There and Back Again. If you haven’t read that post, start there (including the comments) and then come back.]

I finally figured out what was bothering me. While driving to the Science Online 2012 open mic night and listening to Jon Watts’ Lifted Up, I suddenly had an epiphany. Suddenly, things made sense. And it all came back to a mathematical formalism.

The formalism is the disproof by contradiction. That formalism can be colloquially expressed this way: if assuming X leads to a conclusion of not-X, then not-X is true. In this case, the specific expression is as follows: assuming rationality forms the foundation of lifestyle and morality, I have found rationality cannot form the foundation of lifestyle and morality. Therefore, rationality cannot form the foundation of lifestyle and morality.

This is a radical transformation. It is much more radical than anything else I have encountered, because it dislodges and renders impotent any question about why an action should be taken. This is fundamentally different than the ethical/lifestyle systems proposed to me, and it is easy to see why once you spell them out.

  • Enlightened hedonism, for instance, might claim that they are acting on this philosophy, because they are optimizing the phenomenologically self-justifying good of pleasure. Humanism or utilitarianism, insofar as they might justify themselves through enlightened hedonism, are also founded on this argument. Yet the self-justifying good of pleasure is a course that has to be maximized, and therefore there are better and worse ways of being in the world, and rationality is presumed to be critical in determining which ways are better and which ways are worse.
  • My position is actually more skeptical than the skeptics. The skeptics presume that one should live based on rational claims and oppose non-rational claims. Yet rationality itself is self-defeating, and so does not stand up to the skeptic’s own standards. (Skeptics refusing to apply their own standards to themselves is a recurring problem I have with skepticism as a community, BTW: a case in point.)
  • I don’t know much about Buddhism, but my understanding is that its core teaching is that attachment is the source of suffering, and so the goal is to not be attached to outcomes. If that’s true, then in a way, I’m more Buddhist than the Buddhists, because I’m also not attached to not being attached. (And I must admit, I do feel like I have reached a sense of Enlightenment.)

My new standpoint is the ultimate “Fuck it, let’s go bowling.” philosophy, and so I have adopted the Dude’s answer as a hyper-absurdist effort to counteract the rationalist trap. As soon as you engage a rational argument, you’re playing that ultimately self-defeating game again. Yet what is true or not true does not matter, not because of any statement about the value of truth or nihilism, but because fuck it, let’s go bowling. Why I believe something or act a certain way is not a question I have to answer, because fuck it, let’s go bowling. I’m not optimizing my happiness. I’m not striving towards an ethical life. I’m not playing into a grand narrative. I’m fuck it, let’s go bowling.

When I realized this — when I realized that my nagging issue with rationality leading to irrationality was that it proved rationality was false, and when I really realized how deep the denial of rationality went, then suddenly I was free. I saw the world differently in a moment. It was astounding.

Now, some of you may be saying, “Took you long enough.” There are a lot of people out there who have criticized me for thinking too much. I couldn’t just let stuff go, however, as long as there seemed to be compelling ethical mandates—or even the promise of compelling ethical mandates just under the next book cover. But that effort has not only yielded nothing, but actually outright self-destructed. Now I’m free of the mandate; that’s what it would take, and it finally got there: rationality is self-defeating.

(BTW, I should note that “Fuck it, let’s go bowling” is actually Walter’s line, not the Dude’s, but it so perfectly sums up the philosophy that I’m sticking to it. And besides, fuck it, let’s go bowling.)

(Also BTW, if you’d like to prove to me that rationality can form the foundation of lifestyle and morality, you’re welcome to try in the comments. Start by listing off all your presumptions. I’ll even give you Cogito, ergo sum for free, although you have to presume or argue any nouns you’d like to derive from those verbs. Also, please keep in mind that Hume pretty well destroyed inductive reasoning, so arguments from science are first going to have to undo Hume.)

There and Back Again: A Journey Into and Out of Faith January 15, 2012 | 02:00 pm

The gods forgot that they made me
So I forget them, too
I dance among their shadows
I play among their graves

(David Bowie, “Seven”)

Science tells us we are merely beasts, but we don’t feel like that. We feel like angels trapped inside the bodies of beasts, forever craving transcendence.
(VS Ramachandran, cognitive neuroscientist)

For the last few years, I have been a seminary student. Although hardly “evangelical”, I entered seminary with a strong faith in a benevolent God that I attached to Christianity. During my time in seminary, my experience with the Society of Friends (Quakers) and my (notably extracurricular) reading of Leo Tolstoy’s presentation of Christianity strengthened my faith quite a bit. I believed that an incarnated God had laid out a proper mode of life and that the right focus for life was transformation into the unsullied image of that incarnated God. It was a standpoint that I was very comfortable with and very excited by, and it shaped how I made decisions and where I placed value. For more on those beliefs, see my other blog and my Ask a Quaker guest post on Rachel Held Evans’ blog.

At the end of last semester, however, that all collapsed, and I am left as a kind of weak atheist. The post mortem of my faith is a complicated narrative: there is no simple cause of death. Many people who leave seminary as weak atheists (including Bart Ehrman, who teaches at The Other School), entered as evangelicals or fundamentalists. When their self-authorizing and monolithic interpretation of the Bible is pummeled to dust and the faux-rational Christianity is revealed to be a mess of paradox, their faith becomes shaken and they end up leaving seminary as atheist-materialists, often with the same evangelical zeal for atheist materialism that they had for Christianity. Although that’s a common story, it’s not mine.

My Christianity has not been fundamentalist or evangelical: instead, it has been an on-again/off-again relationship. I became an ardent atheist as a teenager, even self-identifying as a LaVeyan Satanist at times. This came from recognizing only two kinds of Christianity as a child: a kind of weak Protestant liberalism on the one hand, and a kind of overbearing Protestant fundamentalism on the other. The first did not seem to actually require anything distinctly Christian, and the latter did not seem to actually engage reality. Yet even in my most atheistic of moments, I had a sense of spirituality—a sense that the modern narrative of the utterly isolated individual was somehow wrong, and that the union of individuals was holistic and synergistic. In college, I encountered a moderate liberal Christianity in the “neo-orthodox” vein. Its arguments convinced me: Christianity taught a proper ordering of the individual, which is truly to be in a properly ordered community.

Despite neo-orthodox teachings, though, simply going to church and doing the nonproductive repetition of the liturgy didn’t seem to satisfy that spiritual aspect. I joined Freemasonry (eventually becoming 32nd degree in the Scottish Rite) and continued to study esoterica, including the (publicly accessible) teachings of the A∴A∴. At this point, my Christianity began to wane into a kind of Calvinist-flavored deism. That’s when things suddenly changed.

Up to this point, I never had a real sense of relationship with God. Prayer had never established a “relationship” with God, except in the kind of one-sided relationship that I have with my favorite TV or book characters. (Sarah Howell has an excellent blog post called “Prayer Doesn’t Work”, and it sounds exactly like my thoughts on the matter…but with more apparent faith remaining.) For some reason, however, I suddenly had a sense of “calling”. This was not the kind of “calling” that comes from careful reasoned thought and the recommendations of others: this was a strong sense that something beyond me was calling me into seminary. It was a profound and constant pull, and it did not seem to originate from within me nor did it seem to be under my control. The feeling was amazing and profound, and after some time I had no choice but to relent to the calling—it was that powerful.

I moved to Durham and started attending seminary. While there, my faith was transformed but did not weaken. Without a doubt, however, I was challenged. There were a number of things I had taken on faith because it was where “all scholars agreed”. These points, however, were rapidly removed as I discovered just how little agreement there is among scholars, and how artificial the points of agreement are: in theology, there are certain axiomatic claims that are required in order to be a part of the conversation (e.g. get published in a particular journal), and these axiomatic claims then become the points of seeming universal agreement. Similarly, I discovered just how contextual and utterly Western the creeds are, which reduced my respect for them down to effectively nil. That wasn’t the hardest blow, though.

Most damaging, however, was discovering just how interested the church was (and is!) in reifying and reinforcing boundaries between people-groups—a horror especially when contrasted with the church’s relative disinterest in helping the poor and actually behaving like Jesus taught. This was a major problem for me, because the core assertion of neo-orthodoxy is that the church somehow contained and embodied the right interpretation of Jesus’s teachings. Yet the practices of the church (both historically and presently) and the places where the church spends its time are so utterly different from the model of Jesus that I could no longer trust in the tradition of the church. In the history of the church, the truly holy—even those obviously aspiring to be truly holy—seemed to be the rare and precious exception, not the norm. How could I trust that institution to teach and transform me into holiness if it consistently failed to do so for everyone else?

At the same time as I encountered these struggles, I encountered the tradition that I draw from Gandhi’s Christian followers (e.g. J.C. Kumarappa), Martin Luther King, Jr., Leo Tolstoy (esp. What I Believe), Christian agrarianism, and the early Quakers. These people had an alternative take on Christianity focused on the Sermon on the Mount. It was a spiritually and socially conscious Christianity, and it seemed to be the true tradition of Jesus. This became the Christianity that I identified with, although I eventually quietly dropped the active use of the “Christian” label because of flak from Christians who thought I didn’t meet the minimum requirements for it. That fight rapidly became exhausting, and the benefits of keeping the label were rapidly offset by the annoyingly constant challenges.

The end of my faith, however, came through the study of cognitive science, and especially the cognitive science of religion. Through all of this, my faith was backed up by that sense of calling. No matter what else happened, no matter how else I made sense of reality, I had to account for this experience of being moved by something beyond myself. However, through studying cognitive science, I discovered an entirely reasonable explanation. From David Eagleman’s Incognito (and reinforced by VS Ramachandran’s The Tell-Tale Brain), I learned that the mind can experience an emergent subconscious as being an utterly alien presence.

The clincher, however, came when I read Harvey Whitehouse’s Modes of Religiosity. In there, Whitehouse lays out (with strong empirical evidence) how the ideas contained within repetitious and ritualized practices become “sleeper agents” in the brain, surfacing to make sense of strange or disquieting experience. This expression of the practices’ ideas is experienced/interpreted as a spontaneous expression of divine presence or ordering.

This was, in short, exactly what I experienced. My only experience of the divine now had an entirely this-worldly explanation. Without that support column, my faith rapidly crumbled. My Tolstoy-Quaker religiosity was all stipulated on the existence of God, and I no longer have any basis to believe in the Christian God. Although some are more than happy to be a part of a religious community that affirms something they don’t actually believe in, I am not. I am still processing my relationship to Quakerism, but in terms of my relationship to Christianity, I’m out.

Now, at this point in atheist conversion narratives, people sometimes start to talk about how free they felt and how great it is that they were no longer shackled by the expectations of their faith community. This is definitely not my experience. At the end of the day, I am a child of the Enlightenment: I have a commitment to rationality and to living my life in a rational way. All systems of rationality, however, need their axioms. Nietzsche and the existentialists showed that there is no intrinsic value in the world, but Christianity was a counter to this nihilism, providing a set of axioms and a guiding methodology for life. Without Christianity, I am back to the world of nihilism. Rationality no longer has a foothold by which to guide life.

Asking around, the only advice I find from atheists is to “do what you want”, but what should I want? Like all humans, my desires are utterly mutable—the very existence of marketing and psychotherapy is because of this fact. (Not to mention operant conditioning! I’m reminded of The Big Bang Theory on this point.) If I don’t take control of my desires’ mutations, I am simply submitting myself to the vicissitudes of corporate marketing departments and political spin-meisters. Like the Machines in The Matrix, politics and capitalism are constantly consuming humanity and feeding us illusions. Evidence suggests that playing into their illusion is a path to a life of quiet despair, yet with no values, there is no guide about what desires actually are good or bad to pursue. Satisfaction and reward are both stipulated on accomplishment, which itself presumes a set of values.

Worst of all, though, this idea that you should “do what you want” seems like it is an utterly un-rational punchline to an extensive pro-rational argument. Be rational and doubt everything. Be rational and be a skeptic. Be rational and seek the truth. But once you do all of that, forget being rational, because it can’t help you anymore. I was happier and more satisfied as a Christian: it was a sick trick to lure me out of that joyful place with rationality, just to drop me in a place of nihilistic disillusionment and then tell me I should abandon rationality and seek a joyful place.

This frustration is compounded by the fact that I have little in common with evangelical atheism and its promissory materialism. I find most self-proclaimed skeptics to be annoyingly un-skeptical, but instead committed to their own particular materialist dogmas (e.g. Michael Shermer, as I discuss in this book review). The problem of qualia still prevents me from buying that the only thing that exists is the “physical world” as science constitutes it, or from taking the only philosophically defensible materialist stance—namely, that subjectivity doesn’t exist (e.g. Daniel Dennett, as I discuss in this book review). I am inclined towards John Searle’s “biological naturalism” conception of consciousness, but it’d be nice if we had any idea how physical material could produce whatever it is that qualia are. The question of “the mind’s eye” (which some people don’t have!) might be an interesting angle of attack, since it puts the question in sharp focus…

Since subjectivity exists, I still have space for a kind of hollow “spirituality”. Surprisingly, little has changed on that front: God is now absent, but God was never particularly present before, despite my earnest desires. Since the Bible drops out with Christianity, my interpretation and expression of spirituality is now more purely phenomenological rather than theological. The existence of mirror neurons and the human ability to have a theory of mind means that I am still able to have an intersubjective spirituality, as well. This has actually sharpened my interest in the spirituality of sexuality, which has been a long-running interest of mine.

Right now, I am struggling to re-situate myself. I am haunted by Camus’ question: “In a world without God, why not commit suicide?” (For his answer, see here.) I am reconsidering all of the projects, dreams, and relationships that I used to have, trying to see if they can still retain some kind of joy and impetus in the face of my epic disillusionment. I have continued on with the projects which are hold-overs from before the disillusionment, trying to retain some kind of momentum. But ultimately, I now live in a world which feels flat, and I am living a life without direction. Thanks a lot, Rationality.

[Editor’s Note: This post has a follow-up at Back Again to There.]

My Introduction to ScienceOnline (#scio12) January 15, 2012 | 09:32 am

This upcoming weekend, I will be attending ScienceOnline 2012. For years, I’d heard whisperings about the science conference that Duke’s own “Mister Sugar” helped organize, but my interest was never quite piqued enough to attend. This year, I heard AV Flox and Jason Goldman were coming, and that was enough to push me overboard. Since following it, I’ve gotten really excited: from the science of tattoos (and tattoos of science) to The Monti storytelling to questions about open data, it should really be a fascinating time. The Twitter community alone (follow @scio12) has been great, so getting to meet these people face-to-face should be even better.

One of the things to do is to introduce yourself on your blog, so here goes.

Although my background spans mathematics, computer science, and software development, my most recent movement has been into a seminary. I have spent the last three years chasing after the Big Questions at Duke Divinity School. During this time, I have become entranced by the intersection of mind, the brain, the body, and society: it began with a paper asking, “What does it mean to have pets?”, which led me to read about the psychological and physiological transformation in canine domestication (as mirrored in the Siberian Fox experiment). Ever since, I have been pursuing the scientific and philosophical treatments of cognitive science, especially cognitive neuroscience and neuroeconomics. I’m particularly interested in the relationship between cognition (especially decision-making) and social engagement, as well as in experiences of empathy and mirror neurons. Sexuality and religiosity/spirituality are two especially interesting influences within that scope. I have submitted my application to do doctoral work in cognitive neuroscience, and hope to enroll in a program this Fall.

OS-X: Using Tor for All HTTPS Connections December 13, 2011 | 01:29 pm

I am a big fan of Tor, especially as the Great Firewall of America is going up. I previously posted instructions on how to set up Tor on OS-X, and I wanted to update that guide a bit.

One of the problems with Tor is that the entry nodes and exit nodes can see your raw traffic. This is just the nature of the beast: sooner or later, someone is going to see everything. And it’s still better than the entire internet seeing your raw traffic and having it mapped directly back to your IP address, which is the default mode on the internet.

HTTPS, for all its flaws, basically solves this problem. It provides the encryption necessary to obscure traffic going over Tor. So the common advice was to be cognizant of whether you were going over HTTP or HTTPS and to never transmit any personally identifying information over HTTP, because that would compromise your Tor anonymity. This is, suffice it to say, tricky.

While poking around my Network Settings on OS-X, I discovered something interesting: you can specify per-protocol proxies. So, instead of using a blanket proxy for my web browser, I now simply set my system to use an HTTPS proxy. Problem solved. HTTP traffic goes directly over the Internet, and HTTPS traffic goes over Tor. In theory, someone could correlate my HTTP and HTTPS traffic if a website uses both (e.g. serving up static content over HTTP, dynamic over HTTPS), but that’s both unlikely and not really my concern. If I want total anonymity at the cost of routing HTTP over Tor, I’ll fire up Firefox and click my Torbutton.

Similarly, I can set up just a SOCKS proxy, so anything that speaks at that low of a level can route its traffic through Tor.

The way to do this is to hop into System Preferences > Network > Advanced… > Proxies. Click on Secure Web Proxy (HTTPS) and set the server to localhost and the port (the part after the colon) as 8118. Then click on SOCKS Proxy and set the server to localhost and the port (the part after the colon) as 9050. You have to click Advanced... for each interface that you want to route over Tor.
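
The same per-interface settings can be applied from Terminal with the macOS `networksetup` tool. This is an added example, not part of the original post; it dry-runs against a constructed service listing, and the function names and the APPLY switch are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): apply the post's proxy settings
# to every enabled network service. Function names and APPLY are hypothetical.
PROXY_HOST=localhost
HTTPS_PORT=8118   # Secure Web Proxy (HTTPS) port from the post
SOCKS_PORT=9050   # SOCKS Proxy port from the post

# Filter `networksetup -listallnetworkservices` output (stdin) down to enabled
# services: drop the explanatory first line and names marked disabled with "*".
enabled_services() {
    sed -e '/^An asterisk/d' -e '/^\*/d' -e '/^[ ]*$/d'
}

# Print each command by default; run it only when APPLY=1.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@" </dev/null; else printf '%s\n' "$*"; fi
}

# Point HTTPS and SOCKS at the local Tor proxies for one service. The plain
# HTTP proxy is left untouched, so HTTP still goes direct as the post describes.
set_tor_proxies() {
    run networksetup -setsecurewebproxy "$1" "$PROXY_HOST" "$HTTPS_PORT"
    run networksetup -setsecurewebproxystate "$1" on
    run networksetup -setsocksfirewallproxy "$1" "$PROXY_HOST" "$SOCKS_PORT"
    run networksetup -setsocksfirewallproxystate "$1" on
}

# Read a service listing on stdin and configure every enabled service in it.
configure_all() {
    enabled_services | while IFS= read -r svc; do
        set_tor_proxies "$svc"
    done
}

# Constructed sample of `networksetup -listallnetworkservices` output.
SAMPLE_LISTING='An asterisk (*) denotes that a network service is disabled.
Ethernet
*FireWire
Wi-Fi'

# Dry run on the sample. On a Mac, pipe the real listing in instead:
#   networksetup -listallnetworkservices | APPLY=1 configure_all
printf '%s\n' "$SAMPLE_LISTING" | configure_all
```

Review the dry-run output before setting APPLY=1; disabled services are skipped, so re-run it after enabling a new interface.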


Time for More Tor: How to Set It Up August 11, 2011 | 09:24 am

It is looking like the US government is going to pass a bill which requires your ISP to track everything you do on the internet and store that information for 12 months: see here for more. This means that every website you visit and every plaintext password you send across the internet will be tracked. If you or a website you visit sends anything across HTTP, it’ll be tracked. And God knows how the ISPs might be compelled to try to hack your HTTPS/SSL connections: Bruce Schneier has a lot of evidence that SSL isn’t safe, especially if your ISP is the one hacking it. (On this note, also see here.)

So, here’s a guide on how to circumvent your ISP’s ability to record all your personal information. I’m using OS-X and Firefox, and I’m assuming you are, too. If you’re on Windows, I’m sorry, and hopefully you can figure it out. If you’re on Linux, clearly you’re too smart to need a guide like this.

The first thing to do is install Tor. Y’know that common scene in the movies (e.g. Mission Impossible) where the l33t h4x0r has routed their connection all over Hell and back, and it’s a pain in the ass for the evil police officers to track down? Yeah, that’s Tor. Tor (which is short for The Onion Router) routes your traffic through a series of other servers in a nice, encrypted format. It starts by connecting to an “Entry Node”, then running through a series of routers, and finally the “Exit Node” proxies your request to the website. This means that instead of your traffic coming from your computer, it is (from a security and practical standpoint) coming from the Exit Node. Your ISP can no longer track what you’re doing. Pretty nifty.

The problem is that you have to have a minimal amount of trust for the Exit Node. And, of course, you have no real reason to do that. So we have to take a few more steps to really protect ourselves.

First, Tor requires a bit of configuration. With Tor off, edit your torrc file. On OS-X, it will be in ~/Library/Vidalia/torrc. Change the ControlPort setting to anything other than its default value: anything in the 9xxx or 10xxx range is usually free, and changing it protects against a simple attack an Exit Node can launch against you. Second, you don’t really want to deal with an Exit Node in certain countries (e.g. China, North Korea), so add a line which reads:
ExcludeExitNodes {cn},{kp}
You can add other countries to the list if you’d like: just look up their two-digit ISO country code and add it in brackets to the comma-separated list. Keep in mind that this only limits the exit nodes, not the entry or intermediate nodes, but since intermediate nodes don’t know either where the traffic is coming from or where it is ultimately going, that’s fine. If you want to specify a particular country for your exit node, you can do that, too:
ExitNodes {us}
There’s no security benefit to limiting your exit node to a particular country, but it may make certain websites work a bit better if you limit the exit nodes to a country whose primary language is one you can read. There may also be certain advantages to making sure your exit node and your computer are on as disparate networks as possible (especially where “disparate” means “not subject to the same police force”), but at the point when you’re worrying about that, you’re in a situation which is more dire/paranoid than this guide can help with.
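
A quick way to check a torrc against the ControlPort and exit-node advice above (added example, not part of the original post). It reads the file on stdin; the 9051 default and the function name are assumptions of this example, and the sample torrc is constructed.

```shell
#!/bin/sh
# Added example: lint a torrc (read on stdin) against the advice in this post.
# DEFAULT_CONTROL_PORT is an assumption; set it to the value your bundle shipped.
DEFAULT_CONTROL_PORT=${DEFAULT_CONTROL_PORT:-9051}

# Prints one finding per line and returns 1 if there are any, 0 otherwise.
check_torrc() {
    findings=$(awk -v def="$DEFAULT_CONTROL_PORT" '
        /^[ \t]*#/ || NF == 0 { next }          # skip comments and blank lines
        { key = tolower($1) }                   # compare option names case-insensitively
        key == "controlport" {
            have_cp = 1
            if ($2 == def) print "ControlPort is still " def
        }
        key == "exitnodes" || key == "excludeexitnodes" {
            if (key == "excludeexitnodes") have_excl = 1
            list = $0
            sub(/^[ \t]*[^ \t]+[ \t]+/, "", list)       # drop the option name
            n = split(list, item, ",")
            for (i = 1; i <= n; i++) {
                c = tolower(item[i]); gsub(/[ \t]/, "", c)
                if (c !~ /^[{][a-z][a-z][}]$/) continue  # only {cc} country entries
                if (key == "exitnodes") want[c] = 1; else ban[c] = 1
            }
        }
        END {
            if (!have_cp)   print "ControlPort is not set in this file"
            if (!have_excl) print "no ExcludeExitNodes line"
            for (c in want) { if (c in ban) print c " appears in both ExitNodes and ExcludeExitNodes" }
        }')
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample torrc: default control port, and {kp} both wanted and excluded.
SAMPLE_TORRC='# constructed sample, not a real configuration
ControlPort 9051
ExcludeExitNodes {cn},{kp}
ExitNodes {us}, {KP}'

# Demo on the sample; for a real file: check_torrc < ~/Library/Vidalia/torrc
printf '%s\n' "$SAMPLE_TORRC" | check_torrc || :
```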

Here are some other settings you can add to your torrc file, which may improve performance:

# Use hardware acceleration if you have it (does nothing if you don't)
HardwareAccel 1
# Don't write to disk if you can avoid it (important for SSD)
AvoidDiskWrites 1
# Number of seconds to wait for a circuit to be built
# In newer versions of Tor, this is an adaptive number, so it's really only a hint
CircuitBuildTimeout 20
# How many seconds to wait before we clean up unused circuits  
CircuitIdleTimeout 3600
# Number of seconds before we give up on a circuit and try a different one
CircuitStreamTimeout 240
# How often to consider building a new circuit
NewCircuitPeriod 10
# How old can a circuit get in seconds
MaxCircuitDirtiness 28800
# How long do we divorce host/exit node associations in seconds
# Lower values randomize your connections more often (which may be more secure) 
# Higher values are better for performance
# Default is 1800 (30 minutes)
TrackHostExitsExpire 300
# The number of long-term entry nodes we use (default 3)
NumEntryGuards 5
# Set this to the number of CPUs that you have on your hardware
NumCPUs 4

If you are running a computer which is on for extended periods of time (i.e. not a laptop), then you actually get significantly better security by running a relay. The following instructions are just for OS-X: in the Vidalia Control Panel (that thing that pops up when you click on the onion in the menu bar and select “Control Panel”), click “Settings”. Under “Sharing”, click “Relay Traffic for the Tor network”, and give yourself an awesome name (without spaces) in the “Nickname” field below. Then click “OK”. You can muck about with the other settings later. The advantage of doing this is that you are now generating traffic which is not yours from your computer. So if you ever access the internet from outside of Tor, there’s at least effort required to determine if that access is on your behalf or on the behalf of someone on the Tor network. More information and discussion of possible security downsides are here: Do I get better anonymity if I run a Tor relay?

Next up: configuring Firefox. First of all, go into Tools > Add-Ons > Torbutton > Preferences > Security Settings > Start-Up and have your Firefox boot immediately into Tor. You simply don’t want to do anything else. Once you’ve got that set up, go poke around at the other options and set it to work the way you’d like. If you don’t understand an option, then leave it checked if it is marked as “crucial” or “recommended”, or leave it as the default if it is any other way.

Now, to deal with that pesky Exit Node trust problem. There are two parts to this solution: first, install HTTPS Everywhere by going to that link and clicking the big “Encrypt the Web: Install HTTPS Everywhere” image. (I know it doesn’t look like a button or link, but it is. Usability fail.) Once you’ve got HTTPS Everywhere installed, you’re automatically going to start creating SSL links to a variety of popular services. This SSL provides an added layer of security. And, although it is possible for a particular Exit Node to try to launch an attack against your SSL connection, the fact that your network exit node is indeterminate and transitory helps security quite a bit. This brings us to the second part of the solution: STOP ACCEPTING BROKEN HTTPS CERTIFICATES. Everyone does it (including Bruce Schneier), but as soon as you do that, just assume the information you are sending across the connection is broadcast everywhere, because it may as well be.

If you want to go really hardcore, you can add a few more HTTPS Everywhere rules by grabbing my rules from my GitHub repo and extracting them into ~/Library/Application Support/Firefox/Profiles/*/HTTPSEverywhereUserRules. That adds quite a few more rules.

For the final step of configuring Firefox, follow Tor’s own instructions on improving Firefox performance (the “Procedure 1” bit). This changes a few defaults to more proxy-friendly options, and makes a substantial improvement in Firefox’s speed when running in Tor mode.

Other plug-ins I’d recommend for Firefox are BetterPrivacy and AdBlock Plus, both of which help with privacy. Set Firefox to log you out of every site when you are closing down. Master Password can help by allowing you to have one password on your Firefox and then it will store your totally random passwords used for all the other websites: you won’t need to memorize them, because Master Password will have taken care of it.

What about things other than web browsing? To get other programs to use Tor (I’m particularly fond of routing DropBox/SugarSync through Tor), find their Preferences pane, then try to find the “Connection” or “Proxy” window. Set it up as an HTTP proxy running through the host localhost at the port 8118. To get command line systems to use Tor, set the HTTP_PROXY environment variable to the value “http://localhost:8118”.

At this point, as long as you’re running from within Tor and over SSL, you’re reasonably secure. Yes, there are still attacks that can get you: welcome to the internet. But at least you’ll wiggle out from underneath the kind of blanket surveillance that the U.S. government seems to think is a great idea. Anything you access from HTTP (not HTTPS) is still a problem, so shift to using HTTPS-protected log-ins (e.g. OpenID, Facebook Connect) for non-HTTPS sites as a minimal step to protect your account. And if you ever see a website whose security certificate used to work but is suddenly broken, close your browser, click “New Identity” under the onion in the menu bar, and then fire your browser back up.